Cybersecurity skills shortage requires new approach

Sep 6, 2016

Trevor Coetzee, regional director, South Africa and sub-Saharan Africa at Intel Security, writes that businesses all over the globe are battling to close the cybersecurity skills gap as an increase in cloud computing, mobile and the Internet of Things fuels a rise in cyber terrorism.
A recent global skills study by Intel Security and the Center for Strategic and International Studies (CSIS) revealed that 82% of IT professionals believe there is a shortage in the cybersecurity workforce.
While the study surveyed businesses in other countries, we are seeing the same problems in South Africa, where 32% of organisations have experienced cybercrime and 57% believe they will be affected in the next two years.
Because the shortage is a worldwide problem, businesses are not only competing locally for scarce skills, but also with their global counterparts who headhunt skilled practitioners and entice them with premium salaries. The gap left by a mass exodus of skills leaves businesses vulnerable to attack.
Considered broadly, the situation appears quite dire. The tactics used by cybercriminals evolve every day and it’s difficult to keep up; the education system is not producing industry-ready talent; government is not investing enough resources into skills development; and a weak economy is forcing businesses to cut training budgets, which puts existing staff under more pressure.
But there is a way out of this. Here are four areas where we can start:

Ongoing training and clear career paths
Internal training seems to be a double-edged sword. We can invest in skills training and risk losing those staff members to higher-paying positions. Or we don’t train staff and risk them leaving anyway for better opportunities, while leaving the business exposed because we don’t have sufficient skills to protect the network.
But training is crucial and it’s a risk we have to take.
South Africans are aspirational workers who want to move quickly up the ranks. Businesses should establish clear career paths, supported by training and internships, for cybersecurity professionals who know that, even though they might start out in a call centre position, they could end up in a more skilled position five years down the line. If staff know there is room for development, they’re more likely to stay.
Gaining certification in cybersecurity skills is expensive and can be a deterrent to many entering the industry. By subsidising or covering certifications in full, businesses will more easily attract and retain talent.

Adopt new education models
The current education system is not producing workplace-ready skills, hence the need for ongoing training at the organisational level.
At the basic education level, children are not excited to study science, technology, engineering and mathematics (STEM) subjects and there’s still a perception that cybersecurity is not a “cool” career. But if all they have to go on is the theory they’re currently being taught, can we really blame them?
Education can be more exciting through hands-on training, hackathons and gaming. The Intel Security survey found that hackathons were a great way to identify talent and develop skills.
The problem, however, is that once we’ve fostered this interest, students enter a tertiary education setup that does not give them the opportunity to specialise in cybersecurity or, at most, offers a very limited scope that includes IT security. Instead, they walk away with computer or information science qualifications and have to find the money to pay for security certifications – unless they’re lucky enough to land a job that has a solid training programme in place.
And herein lies another problem. Companies looking for cybersecurity skills want a tertiary qualification as an entry-level requirement when, in reality, anyone can be upskilled. With a relevant baseline qualification, such as a CISSP, and experience of or exposure to generalist IT environments, people could become good all-round security practitioners. Once we lower the barriers to entry, we’ll widen the pool of available talent and be able to offer opportunities to those who cannot afford tertiary education.

Diversify the industry
Along with lowering barriers to entry, we also need to diversify the industry to attract more female and minority talent. Cybersecurity is still a male-dominated industry but if we make it more attractive to women and minorities, we’ll also widen the talent pool.

Do more with less
I’m not talking about fewer skills but rather about being smarter with the skills we do have. Too many IT resources are bogged down by tasks that could be automated. The Intel Security study identified intrusion detection, secure software development and attack mitigation as among the most in-demand skills, yet IT departments are overwhelmed by many functions that can be consolidated and automated.
The skills shortage, coupled with the burden of unnecessary tasks, is putting a lot of pressure on IT staff, who are at risk of burnout. By automating some of the day-to-day tasks, IT resources will be freed up to focus on more advanced threats to the organisation.
At the end of the day, government and the private sector are equally responsible for ensuring a stable and consistent supply of cybersecurity talent through more modern education programmes, ongoing training and development of staff, and through changing the perception of the industry.
The reality is that every single industry needs cybersecurity expertise, especially as more local and African businesses move into the cloud and adopt mobile working practices. If we are to make any difference to the massive skills shortage, we need to make immediate and long-term changes to attract and retain the best talent possible.